Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions

November 25, 2024 at 03:34AM

Earth Estries, a Chinese APT group, has been targeting critical sectors globally since 2023, using advanced malware such as GHOSTSPIDER and SNAPPYBEE. Its tactics involve exploiting vulnerabilities in public-facing servers for espionage, and the campaign has affected more than 20 organizations across various industries. The group operates a complex command-and-control infrastructure, and overlaps in tooling suggest that it shares tools with other APT groups.

**Meeting Takeaways: Earth Estries APT Group Overview**

1. **Group Identification**:
– Earth Estries, also known as Salt Typhoon, FamousSparrow, and GhostEmperor, is a Chinese APT group actively targeting critical sectors since 2023.

2. **Targeted Sectors**:
– The group has predominantly focused on telecommunications and government entities in the US, Asia-Pacific, Middle East, and South Africa, compromising over 20 organizations across various sectors, including technology, consulting, and transportation.

3. **Attack Techniques**:
– Earth Estries utilizes advanced attack vectors, including multiple backdoors (notably GHOSTSPIDER, SNAPPYBEE, and MASOL RAT), exploiting public-facing server vulnerabilities and leveraging living-off-the-land binaries for lateral movement.

4. **Initial Access and Exploited Vulnerabilities**:
– Key exploits include CVE-2023-46805 (Ivanti Connect Secure VPN) and CVE-2021-26855 (Microsoft Exchange), allowing attackers to gain control of public-facing servers and execute commands with elevated privileges.

5. **Long-term Espionage and Campaigns**:
– The group’s operations indicate a pattern of prolonged espionage, where attackers gather intelligence through compromised vendors and service providers related to telecommunications and government networks.

6. **New Discoveries**:
– The investigation uncovered advanced backdoors like GHOSTSPIDER and the use of the MASOL RAT on Linux devices targeting government networks, indicating a sophisticated level of customization in their malware.

7. **C&C Infrastructure**:
– Earth Estries employs a complex command-and-control infrastructure managed by various teams. Overlapping TTPs have been noted with other Chinese APT groups, hinting at possible shared malware tools from malware-as-a-service providers.

8. **Victimology**:
– The group has targeted organizations in multiple countries, including Afghanistan, India, South Africa, the US, and nations in Southeast Asia. A victimology map details the geographical spread of these attacks.

9. **Post-exploitation Techniques**:
– Investigations identified the use of living-off-the-land techniques and deliberate spreading of the infection across the network, including downloading additional malicious tools from the group's C&C servers.

10. **Conclusion and Recommendations**:
– Earth Estries represents a high-level threat to critical infrastructure. Organizations are advised to enhance their cybersecurity measures proactively, utilizing threat intelligence platforms to monitor and respond to potential threats effectively.

This summary captures the key findings of the meeting regarding the Earth Estries APT group's activities and highlights the need for vigilance in cybersecurity practices against such threats.